#12248 8/9/10/11 Adding last 4 event types (VSX, VXLAN (and agent) and Zero Touch) #12302
VSX Sync events (760x), VXLAN events (81xx), VXLAN agent events (1250x) and Zero touch provisioning events (87xx): logs, parsing and docs against OS 10.15
Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)
A couple minor comments/suggestions, otherwise LGTM.
packages/hpe_aruba_cx/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -3054,6 +3064,63 @@ processors: | |||
patterns: | |||
- "^Bluetooth device %{DATA:event.action}: %{MAC:client.mac}" | |||
|
|||
# VXLAN events (81xx) |
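Review bot: the new `# VXLAN events (81xx)` section carries no documentation comment, while the Zero touch provisioning section added in this same PR cites its AOS-CX 10.15 event page under the section comment; add the matching VXLAN event-doc URL here so the 81xx patterns can be checked against their source when the next OS release changes message text.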
maybe add a comment about how 8118 doesn't need further processing? We did that in other places.
@dwhyrock I was thinking about this. It'll be a maintenance nightmare to continue doing this, especially when they have a new OS update.
I was considering going back and removing all those instances where we marked them as not processed.
Technically, we are still processing it, but since there is no data to extract besides the message header, there's no additional parsing logic. Do we have to call that out?
yea, that sounds like a decent plan. It was probably only really useful for these initial reviews anyway. You're right, in the future, there will likely be updates where some of those messages may need to be further processed, etc. I'm cool if we don't call those out.
@@ -3368,6 +3435,54 @@ processors: | |||
- "^Finish packet was received on MSDP Peer %{IP:client.ip}" | |||
- "^Failed to add SA Cache entry: S=%{IP:source.ip}, G=%{IP:aruba.msdp.grp_ip}, R=%{IP:aruba.msdp.rp_ip} for Peer %{IP:client.ip} as MSDP SA Cache Limit is reached" | |||
|
|||
# Zero touch provisioning events (87xx) | |||
# https://www.arubanetworks.com/techdocs/AOS-CX/10.15/HTML/elmrg/Content/events/ZTPD.htm |
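Review bot: the review thread notes that message codes 8716, 8717, 8722 and 8725 are absent from the ZTPD 10.15 documentation the comment line links to, so those codes (and any added in a later release) will match none of the `^`-anchored patterns in this section; confirm the enclosing grok processor is configured so an unmatched message keeps its raw `message` and is tagged rather than failing the pipeline, and record the documented gap in a one-line comment beside the URL, since that is where the next maintainer will look.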
maybe add a comment about how message codes 8701-8715, 8723, 8726, and 8729 don't need further processing (and 8716, 8717, 8722, and 8725 don't exist)?
@dwhyrock see above #12302 (comment)
With regards to the missing event ID, I don't know - it's not present in the zero-touch events documentation.
There are other instances of other Event Types (which I can't recall right now) where they skipped a few Event IDs. I'm not sure of the reason. Zero-Touch is more prevalent.
Aside from Doug's comments, LGTM